PRIVACY POLICY

Information Notice pursuant to Art. 13 EU Regulation 2016/679 (GDPR) and D.Lgs.
196/2003 Last revised on: 20 March 2026

At MIDI-Makers, building the worlds first global MIDI marketplace also means building it
right — and that starts with how we handle your data. This Privacy Policy explains what
personal data we collect when you visit www.midi-makers.com ("the Site"), why we collect it, and what rights you have over it.
By browsing this Site, you acknowledge that you have read and understood this policy.

What This Policy Covers
This policy applies to www.midi-makers.com in its current form — an informational landing page for the myMIDI platform, currently in Beta. At this stage, the Site does not process purchases, payments, user accounts, or shipments. Those activities will be governed by a separate, updated Privacy Policy published before the marketplace goes live. If you are already on our waitlist, we will notify you directly when that time comes.
Data Controller
‍The Data Controller is MIDI-MAKERS S.R.L., with registered office at Via Tiengo, 15 – Benevento (BN), Italy.
‍
For any privacy-related request, you can reach us at: amministrazione@midi-makers.com PEC: midi-makers@pec.it

No Data Protection Officer (DPO) has been appointed. Having assessed the conditions set out in Art. 37 GDPR, MIDI-MAKERS S.R.L. has determined that appointment is not currently mandatory: the Site processes personal data on a limited scale, does not handle special categories of data under Art. 9 GDPR, and does not carry out systematic, large- scale monitoring of individuals. Should a DPO be designated voluntarily or become required in the future, their contact details will be published in this policy without delay.
Processing Methods
‍The Data Controller collects the following types of Personal Data:
‍
(a) Data you choose to share:
Registration and/or contact data: personal details (name and surname), login credentials, and the email If you fill in our contact form, we collect your name and e-mail address to respond to your inquiry. If you join the myMIDI Beta Program waitlist, we collect your name and e-mail address on the basis of the pre-contractual relationship established by your sign-up request. Providing this information is entirely voluntary in both
cases — declining simply means we cannot get back to you or add you to the list. Thesign-up form includes a confirmation that you are at least 14 years of age, consistent with the requirements of Art. 2-quinquies D.Lgs. 196/2003. You are responsible for ensuringthat any third-party data you submit through the Site is shared with their knowledge and consent.
‍
(b) Browsing data:
When you visit the Site, our servers automatically collect technical information tied to your connection: IP address, browser type and version, operating system, pages visited, and access timestamps. This data is not used to identify you directly and is retained for a maximum of 7 days in raw form, and up to 12 months in
anonymous, aggregated form for statistical purposes only.
‍
(c) Cookies and similar technologies:
This Site uses technical cookies and third-party analytical cookies. Specifically, we use Google Analytics 4 (GA4), which collects certain identifiers by default (including a client ID stored in the _ga cookie and session data). Unlike its predecessor, GA4 does not rely on the anonymizeIp flag; instead, it applies data minimisation at collection level and does not log full IP addresses. However, GA4 does transmit other identifiers to Google LLC (USA) as a data processor. We have entered into a Data Processing Agreement with Google LLC, formally accepted via the Google Analytics Admin Console, and rely on the EU–US Data Privacy Framework as the transfer mechanism (see International Data Transfers below). Note that cookies are distinct from the server-level browsing data described in section (a) above, which is collected independently of any cookie. For full details on what cookies are set, their purpose, duration, and how to manage or withdraw your consent, please read our Cookie Policy at www.midi-makers.com/cookie-policy.
Why We Use Your Data and on What Legal Basis⁠
‍
We process your data only for specific, clearly defined purposes:
‍
Site security and operation — to keep the Site running safely and detect anomalies. Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR). We have carried out a three-step balancing assessment as follows: (i) Purpose — the interest pursued is the technical security of the Site and detection of anomalous access attempts, which is a legitimate and necessary operational objective; (ii) Necessity — log data is the minimum required to fulfil this purpose; no less intrusive means are available; (iii) Balancing — given that only technical connection data is retained (not content or behavioural profiles), that retention is limited to 7 days in raw form, and that users retain the right to object under Art. 21 GDPR, we have determined that our interest does not override the rights and freedoms of data subjects. A copy of the full assessment is available on request.

Retention: 7 days (raw logs), 12 months (anonymous aggregates).

‍
Responding to contact form submissions — to answer your questions and requests, where the inquiry has been voluntarily initiated by you. Legal basis: legitimate interest of the Data Controller in replying to a voluntarily initiated contact (Art. 6(1)(f) GDPR). A balancing assessment has been carried out and is available on request. Retention: 6 months from the date the request is closed. This period is sufficient to handle any follow-up questions relating to the same inquiry. Data is deleted as soon as the retention period expires unless a legal obligation requires otherwise.
‍
Beta Program waitlist and pre-launch communications — to keep you informed about the myMIDI launch and exclusive early access. Legal basis: Art. 6(1)(b) GDPR (processing necessary for pre-contractual measures taken at the request of the data subject), giventhat sign-up constitutes a request for early access to the platform. Where communications go beyond operational pre-launch notices (e.g. promotional messages), the additional legal basis is explicit and specific consent, freely given and revocable at any time (Art. 6(1)(a) GDPR). Retention: until you withdraw consent, or a maximum of 24 months from sign-up — whichever comes first.

Cookie-based analytics — to measure Site traffic and improve user experience via Google Analytics 4. Legal basis: consent, collected via cookie banner prior to any non- essential cookie being set (Art. 6(1)(a) GDPR; Art. 122 D.Lgs. 196/2003). Retention: as specified in the Cookie Policy.
Who Can Access Your Data⁠‍
We do not sell, trade, or rent your personal data. We may share it only to the extent strictly necessary with the following categories of service providers, all appointed as Data Processors pursuant to Art. 28 GDPR and contractually required to process data solely on our instructions and to maintain confidentiality:
1. Hosting and IT infrastructure providers
2. Email and communication platform providers
3. Web analytics providers — specifically Google LLC (USA), acting as Data
4. Processor under a Data Processing Agreement for Google Analytics 4. Data transfer to the USA is covered. by the EU–US Data Privacy Framework (see below).
5. Legal or technical advisors, where required by applicable law
6. Judicial or administrative authorities, where legally mandated
A list of current Data Processors is available on request by writing to
amministrazione@midi-makers.com.
International Data Transfers
Some of our service providers are located outside the European Economic Area. Where this is the case, transfers are carried out using one or more of the following mechanisms:
EU-US Data Privacy Framework — for transfers to US providers certified under the adequacy decision adopted by the European Commission on 10 July 2023 (Decision 2023/1795/EU).
‍
Standard Contractual Clauses (SCCs) — approved by the European Commission via Decision 2021/914/EU, supplemented where necessary by additional technical safeguards such as encryption and IP anonymisation, in accordance with EDPB Recommendations 01/2020.
‍
You can request the full list of transfers and applicable guarantees by writing to
amministrazione@midi-makers.com.
Your Rights
You have full control over your personal data. Under the GDPR (Arts. 15–21) and applicable Italian law, you can ask us at any time to:

1. Access the data we hold about you and receive a copy of it
2. Correct any inaccurate or incomplete information
3. Delete your data when it is no longer needed, or if you withdraw your consent
4. Restrict how we process your data in specific circumstances
5. Object to processing based on our legitimate interest. Where processing is carried out for direct marketing purposes, your right to object is absolute and unconditional. Where it is based on Art. 6(1)(f) for other purposes, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests
6. Port your data to another service in a structured, machine-readable format
7. Withdraw consent at any time, without affecting the lawfulness of processing
carried out before withdrawal
8. Lodge a complaint with the competent supervisory authority (see below)
‍
To exercise any of these rights, write to: amministrazione@midi-makers.com

We will respond within one month of receiving your request. In the case of particularly complex or numerous requests, this period may be extended by a further two months; we will notify you of any extension within the first month, explaining the reasons for the delay
(Art. 12(3) GDPR).
Complaints
If you believe we are handling your data unlawfully, you have the right to lodge a complaint — free of charge — with the Italian data protection authority:

Garante per la protezione dei dati personali www.garanteprivacy.it — garante@gpdp.it — garante@pec.gpdp.it Piazza Venezia, 11 — 00187 Roma, Italy

This right is without prejudice to any other administrative or judicial remedy available to
you.
Security
We apply technical and organisational measures proportionate to the risks involved: encrypted connections (HTTPS/TLS), access controls limited to authorised personnel, and regular backups.In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Garante within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms — for example, significant exposure of personal data or risk of identity theft — we will also communicate it to you directly, without undue delay (Art. 34 GDPR), unless the data involved was already encrypted or otherwise rendered unintelligible to any unauthorised party.
Minors
This Site is not directed at individuals under the age of 14. In accordance with Art. 2- quinquies of D.Lgs. 196/2003, minors under 14 may not give valid consent to the processing of their personal data in the context of information society services without the authorisation of a person holding parental responsibility. To support this requirement, the Beta Program sign-up form includes a mandatory confirmation checkbox stating that the user is at least 14 years of age. We do not knowingly collect data from children under 14. If we become aware that we have done so without verified parental consent, we will delete the data immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at amministrazione@midi-makers.com.
Updates to This Policy
We may update this policy at any time to reflect legal, technical, or operational changes. When we do, the revised version will appear on this page with an update "Last revised date". For significant changes, we will notify waitlist members by email at least 14 days before the changes take effect. Continued use of the Site after the effective date constitutes acceptance of the updated policy.

PRIVACY POLICY

About-us

About-us